| title | description | services | documentationcenter | author | manager | editor | tags | Customer intent | ms.assetid | ms.service | ms.devlang | ms.topic | ms.tgt_pltfrm | ms.workload | ms.date | ms.author | ms.custom |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Route network traffic - tutorial - Azure portal | Microsoft Docs |
In this tutorial, learn how to route network traffic with a route table using the Azure portal. |
virtual-network |
virtual-network |
jimdial |
jeconnoc |
azure-resource-manager |
I want to route traffic from one subnet, to a different subnet, through a network virtual appliance. |
virtual-network |
azurecli |
tutorial |
virtual-network |
infrastructure |
03/13/2018 |
jdial |
mvc |
Azure automatically routes traffic between all subnets within a virtual network, by default. You can create your own routes to override Azure's default routing. The ability to create custom routes is helpful if, for example, you want to route traffic between subnets through a network virtual appliance (NVA). In this tutorial, you learn how to:
[!div class="checklist"]
- Create a route table
- Create a route
- Create a virtual network with multiple subnets
- Associate a route table to a subnet
- Create an NVA that routes traffic
- Deploy virtual machines (VM) into different subnets
- Route traffic from one subnet to another through an NVA
If you prefer, you can complete this tutorial using the Azure CLI or Azure PowerShell.
If you don't have an Azure subscription, create a free account before you begin.
Log in to the Azure portal at http://portal.azure.com.
-
Select + Create a resource on the upper, left corner of the Azure portal.
-
Select Networking, and then select Route table.
-
Enter, or select, the following information, accept the default for the remaining setting, and then select Create:
Setting Value Name myRouteTablePublic Subscription Select your subscription. Resource group Select Create new and enter myResourceGroup. Location East US 
-
In the Search resources, services, and docs box at the top of the portal, begin typing myRouteTablePublic. When myRouteTablePublic appears in the search results, select it.
-
Under SETTINGS, select Routes and then select + Add, as shown in the following picture:
-
Under Add route, enter, or select, the following information, accept the default for the remaining settings, and then select Create:
Setting Value Route name ToPrivateSubnet Address prefix 10.0.1.0/24 Next hop type Select Virtual appliance. Next hop address 10.0.2.4
Before you can associate a route table to a subnet, you have to create a virtual network and subnet, then you can associate the route table to a subnet:
-
Select + Create a resource on the upper, left corner of the Azure portal.
-
Select Networking, and then select Virtual network.
-
Under Create virtual network, Enter, or select, the following information, accept the default for the remaining settings, and then select Create:
Setting Value Name myVirtualNetwork Address space 10.0.0.0/16 Subscription Select your subscription. Resource group Select Use existing and then select myResourceGroup. Location Select East US Subnet name Public Address range 10.0.0.0/24 -
In the Search resources, services, and docs box at the top of the portal, begin typing myVirtualNetwork. When myVirtualNetwork appears in the search results, select it.
-
Under SETTINGS, select Subnets and then select + Subnet, as shown in the following picture:
-
Select or enter the following information, then select OK:
Setting Value Name Private Address space 10.0.1.0/24 -
Complete steps 5 and 6 again, providing the following information:
Setting Value Name DMZ Address space 10.0.2.0/24 -
The myVirtualNetwork - Subnets box is displayed after completing the previous step. Under SETTINGS, select Subnets and then select Public.
-
As shown in the following picture, select Route table, select MyRouteTablePublic, and then select Save:
An NVA is a VM that performs a network function, such as routing, firewalling, or WAN optimization.
-
Select + Create a resource on the upper, left corner of the Azure portal.
-
Select Compute, and then select Windows Server 2016 Datacenter. You can select a different operating system, but the remaining steps assume you selected Windows Server 2016 Datacenter.
-
Select or enter the following information for Basics, then select OK:
Setting Value Name myVmNva User name Enter a user name of your choosing. Password Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements. Resource group Select Use existing and then select myResourceGroup. Location Select East US. -
Select a VM size under Choose a size.
-
Select or enter the following information for Settings, then select OK:
Setting Value Virtual network myVirtualNetwork - If it's not selected, select Virtual network, then select myVirtualNetwork under Choose virtual network. Subnet Select Subnet and then select DMZ under Choose subnet. Public IP address Select Public IP address and select None under Choose public IP address. No public IP address is assigned to this VM since it won't be connected to from the internet. -
Under Create in the Summary, select Create to start the VM deployment.
The VM takes a few minutes to create. Do not continue to the next step until Azure finishes creating the VM and opens a box with information about the VM.
-
In the box that opened for the VM after it was created, under SETTINGS, select Networking, and then select myvmnva158 (the network interface Azure created for your VM has a different number after myvmnva), as shown in the following picture:
-
For a network interface to be able to forward network traffic sent to it, that is not destined for its own IP address, IP forwarding must be enabled for the network interface. Under SETTINGS, select IP configurations, select Enabled for IP forwarding, and then select Save, as shown in the following picture:
Create two VMs in the virtual network, so that you can validate that traffic from the Public subnet is routed to the Private subnet through the NVA in a later step. Complete steps 1-6 of Create a NVA. Use the same settings in steps 3 and 5, except for the following changes:
| Virtual machine name | Subnet | Public IP address |
|---|---|---|
| myVmPublic | Public | Accept portal default |
| myVmPrivate | Private | Accept portal default |
You can create the myVmPrivate VM while Azure creates the myVmPublic VM. Do not continue with the following steps until Azure finishes creating both VMs.
-
In the Search box at the top of the portal, begin typing myVmPrivate. When the myVmPrivate VM appears in the search results, select it.
-
Create a remote desktop connection to the myVmPrivate VM by selecting Connect, as shown in the following picture:
-
To connect to the VM, open the downloaded RDP file. If prompted, select Connect.
-
Enter the user name and password you specified when creating the VM (you may need to select More choices, then Use a different account, to specify the credentials you entered when you created the VM), then select OK.
-
You may receive a certificate warning during the sign-in process. Select Yes to proceed with the connection.
-
In a later step, the trace route tool is used to test routing. Trace route uses the Internet Control Message Protocol (ICMP), which is denied through the Windows Firewall. Enable ICMP through the Windows firewall by entering the following command from PowerShell on the myVmPrivate VM:
New-NetFirewallRule –DisplayName “Allow ICMPv4-In” –Protocol ICMPv4
Though trace route is used to test routing in this tutorial, allowing ICMP through the Windows Firewall for production deployments is not recommended.
-
You enabled IP forwarding within Azure for the VM's network interface in Enable IP forwarding. Within the VM, the operating system, or an application running within the VM, must also be able to forward network traffic. Enable IP forwarding within the operating system of the myVmNva VM:
From a command prompt on the myVmPrivate VM, remote desktop to the myVmNva VM:
mstsc /v:myvmnvaTo enable IP forwarding within the operating system, enter the following command in PowerShell from the myVmNva VM:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -Name IpEnableRouter -Value 1
Restart the myVmNva VM, which also disconnects the remote desktop session.
-
While still connected to the myVmPrivate VM, create a remote desktop session to the myVmPublic VM, after the myVmNva VM restarts:
mstsc /v:myVmPublicEnable ICMP through the Windows firewall by entering the following command from PowerShell on the myVmPublic VM:
New-NetFirewallRule –DisplayName “Allow ICMPv4-In” –Protocol ICMPv4
-
To test routing of network traffic to the myVmPrivate VM from the myVmPublic VM, enter the following command from PowerShell on the myVmPublic VM:
tracert myVmPrivateThe response is similar to the following example:
Tracing route to myVmPrivate.vpgub4nqnocezhjgurw44dnxrc.bx.internal.cloudapp.net [10.0.1.4] over a maximum of 30 hops: 1 <1 ms * 1 ms 10.0.2.4 2 1 ms 1 ms 1 ms 10.0.1.4 Trace complete.You can see that the first hop is 10.0.2.4, which is the NVA's private IP address. The second hop is 10.0.1.4, the private IP address of the myVmPrivate VM. The route added to the myRouteTablePublic route table and associated to the Public subnet caused Azure to route the traffic through the NVA, rather than directly to the Private subnet.
-
Close the remote desktop session to the myVmPublic VM, which leaves you still connected to the myVmPrivate VM.
-
To test routing of network traffic to the myVmPublic VM from the myVmPrivate VM, enter the following command from a command prompt on the myVmPrivate VM:
tracert myVmPublicThe response is similar to the following example:
Tracing route to myVmPublic.vpgub4nqnocezhjgurw44dnxrc.bx.internal.cloudapp.net [10.0.0.4] over a maximum of 30 hops: 1 1 ms 1 ms 1 ms 10.0.0.4 Trace complete.You can see that traffic is routed directly from the myVmPrivate VM to the myVmPublic VM. By default, Azure routes traffic directly between subnets.
-
Close the remote desktop session to the myVmPrivate VM.
When no longer needed, delete the resource group and all resources it contains:
- Enter myResourceGroup in the Search box at the top of the portal. When you see myResourceGroup in the search results, select it.
- Select Delete resource group.
- Enter myResourceGroup for TYPE THE RESOURCE GROUP NAME: and select Delete.
In this tutorial, you created a route table and associated it to a subnet. You created a simple NVA that routed traffic from a public subnet to a private subnet. Deploy a variety of pre-configured NVAs that perform network functions such as firewall and WAN optimization from the Azure Marketplace. To learn more about routing, see Routing overview and Manage a route table.
While you can deploy many Azure resources within a virtual network, resources for some Azure PaaS services cannot be deployed into a virtual network. You can still restrict access to the resources of some Azure PaaS services to traffic only from a virtual network subnet though. To learn how to restrict network access to Azure PaaS resources, advance to the next tutorial.
[!div class="nextstepaction"] Restrict network access to PaaS resources